A Presentation at the NCSL Legislative Summit August 5, 2012

Christina A Cody Program Officer,

National Association of Regulatory Utility Commissioners

With support from the Department of Homeland Security Office of Infrastructure Protection

Cybersecurity is one element of all-hazards preparedness

Why Cyber? (cont’d.) ó Ubiquity of networks and dependency on them ó A network is cheaper, faster, more effective, and

ultimately enhances reliability ó Ease of launching a sophisticated attack ó Tools are freely available on the Internet (e.g.

Metasploit) ó Industry reliance on commercial software ó Evolution toward distributed networks ó Interdependencies between sectors

Why Cyber? ó In a 2011 Symantec survey, 71% of the organizations polled had come under

deliberate cyber-attack in the last 12 months.

Figure 1 Data source: IBM X-Force 2010 Trend and Risk Report (for the IT and Telecom sectors). http://www-958.ibm.com/software/data/cognos/manyeyes/visualizations/vulerabilities-per-year

Threats and Vulnerabilities ó Threat: The potential for an actor, circumstance or event to

adversely affect assets, people or organizational operations of the system. ó Vulnerability: A specific weakness in an information

system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

Cyber Attacks Exist on a Continuum Low impact: ó Nuisance – low consequence ó Routine cyber attack common to all business networks ó Usually easier to detect and defend against Intermediate impact: ó Events that may involve damage to a single system component ó Unsophisticated, unstructured High impact: ó Directed against multiple assets designed to disable the system ó Highly-coordinated, well-planned ó Advanced Persistent Threat

Three Flavors Conventional IT Systems Control Systems “Smart Grid”

Electrical Infrastructure

+ + =

Interdependencies ó A pretty bad hypothetical scenario…

A very real threat ó April / May 2007: Estonian economy largely shut down by cyber attacks

originating in Russia over the relocation of a statue ó In April 2009, the Wall Street Journal stated Chinese and other spies

hacked into the U.S. electric grid and left behind computer programs that could allow them to disrupt service (since discredited)

ó 2009 cyber attacks on nation of Georgia prompted NATO comments ó Aurora: an experiment to hack control systems and destroy a generator

staged by the DOE and DHS; revealed by CNN ó STUXNET: computer worm created to attack Iran’s nuclear infrastructure –

only attacked designated targets ó Flame: out since at least 2010, discovered 2012, the most sophisticated of its

kind ó March 2012 cyber attack targeted US and Canadian natural gas pipelines’

computer systems ó In 2011 a malfunctioning water pump in Illinois was accessed from

Russia, prompting cyber attack fears (since discredited)* * Note: even attacks that have been discredited do not mean that the vulnerability did not

exist there: the attacks were credible enough to be reported.

National Attention / State Responsibility ó What’s missing? ó Enforceable Cybersecurity Rules for Distribution

(though some States have led in this area) ó Metrics for cybersecurity ó PUC/PSC cybersecurity expertise (emerging) ó Legislation

ó It may fall to State Commissions to ask questions and require performance

States’ Planning ó Cyber attack has physical consequences ó Where do state legislators come in? ó Executive branch oversight responsibility ó Talk to state agencies – and who else? Know the players ó Internal networks vs. Industry sectors ó Public/Private partnership perspective ó Working relationship with enterprise security side of operations

ó Understand the lay of the land – what’s the reality in your state?

ó Appropriations ó “Cybersecurity at home”

ó State energy assurance plans

What State Regulators Are Doing ó These are increasingly drivers for cost recovery consideration and other

contexts in cases ó NERC CIP compliance is driving new expenditures by utilities, but it is

not exhaustive ó Regulators are filling needed roles where NERC CIP does not cover,

such as in the area of distribution ó The deployment of smart grid increases instances

ó California ó Approved Smart Grid metrics (including cybersecurity)

ó Ohio ó Heavily involved in NIST SGIP Cyber Security Working Group activities ó Chair NARUC Staff Subcommittee on Critical Infrastructure

ó Texas ó Staff dedicated almost solely to cybersecurity ó Participation in various energy sector cybersecurity initiatives

Asking Questions ó The questions are only as good as your ability to

understand the answers and take intelligent action ó Sample Approaches to Information Protection ó “We can’t protect it so don’t share it” ó “We can’t protect it onsite but can see it at your site” ó “We can protect it in a special case” ó “We can protect it within a standard case with a secure

hearing” ó “We can protect it as a matter of course”

Department of Hurricanes ó Cyber secure utility operations is the domain of

utilities ó Defending against nation-state cyber attacks and

cyber terrorism are national defense and law enforcement matters

ó Effective cyber security takes utility/regulator / federal agency (DHS, etc.) partnership

ó Agencies like DOE (OE) and DHS are working on this issue,

ó But, we don’t have a Department of Hurricanes…

Compliance to Standards vs. Risk-Based Assessment ó Prevention - Protection – Recovery ó Mature security practices; highly refined ó Defense in Depth ó Principle of Least Privilege ó Segregation of Duties ó Need to Know ó Maintain Confidentiality, Integrity, Availability

ó No such thing as 100% Total Security, nor is there a silver bullet ó Strong protection has never been easy, inexpensive or quick

to implement ó There may be a tradeoff between functionality and security

Dynamic Defense ó Evolving threat, evolving defense ó Defense in Depth ó Principle of Least Privilege ó Segregation of Duties ó Need to Know ó Maintain Confidentiality, Integrity, Availability

ó No golden shield, no silver bullet ó Strong protection has never been easy, inexpensive or

quick to implement ó There may be a tradeoff between functionality and

security

Dynamic Defense (cont’d.) ó If defensive measures can be beaten, the system

should ensure the results of the attack are: ó Limited in consequence - protect the network if a

component is lost ó Unprofitable for attacker ó Hard enough to make the “juice” not worth the

“squeeze” ó Difficult to replicate ó Quickly and easily recoverable ó Traceable and easy to detect ó Otherwise unappealing

What States Can Do ó Understand the State’s internal cybersecurity profile ó Understand the current cybersecurity requirements

for the energy sector ó Determine whether there are cyber security plans in

place, and whether they are driven by State regulatory or Federal grants compliance. ó Consider and address the human element ó Understand future guidelines and standards under

consideration and how they affect the grid’s futures plans

Step One – Understand the State’s internal cybersecurity profile.

1. Understand cybersecurity risks at work and at home. Many States have guidance available. For an example see: http://www.michigan.gov/cybersecurity.

2. Identify the cybersecurity roles and responsibilities of individuals and organizations in State government.

3. Determine which State agency, if any, has lead and/or supporting roles and responsibilities in cybersecurity for smart grid implementation.

4. Know what the State’s Continuity of Operations Plans (COOP) and disaster recovery strategies are for essential IT systems.

5. Determine if it may be helpful to become a member of the FBI’s InfraGard Program: http://www.infragard.net/.

6. Become familiar with the U. S. Computer Emergency Readiness Team (US-CERT), which provides response support and defense against cyber attacks for the Federal Civil Executive Branch, as well as information sharing and collaboration http://www.fema.gov/government/coop/index.shtm

7. The SANS (SysAdmin, Audit, Network, Security) Institute is a good resource see: http://www.sans.org/reading_room/whitepapers/recovery/

Step Two – Understand current cybersecurity for the energy sector.

1. Electricity and smart grid: ó NERC -- Standards CIP-002 through CIP-009 (the Critical Cyber Asset Identification

portion of the Critical Infrastructure Protection Standards ó Section 1305 of Energy Independence and Security Act (EISA) 2007 defines the roles of

both Federal Energy Regulatory Commission and NIST as they relate to the development and adoption of smart grid standards. The Act defines the Commission’s role as: “At any time after the Institute’s work has led to sufficient consensus in the Commission’s judgment, the Commission shall institute a rulemaking proceeding to adopt such standards and protocols as may be necessary to insure smart-grid functionality and interoperability in interstate transmission of electric power, and regional and wholesale electricity markets.”

2. Understand the cybersecurity requirement for other parts of the energy sector including natural gas (pipeline safety standards) and the petroleum sector, because of the interdependency effects that need to be considered.

3. Under EISA 2007, NIST has "primary responsibility to coordinate development of a framework that includes protocols and model standards for information management to achieve interoperability of smart grid devices and systems…" ó One of the primary documents was issued in January 2010 and titled Framework and

Roadmap for Smart Grid Interoperability Standards, Release 1.0 (Framework).” ó The Framework identified 75 interoperability standards that are applicable, or are likely

applicable, to the ongoing development of smart grid technologies and applications. ó NIST developed Guidelines for Smart Grid Cyber Security.

Step Three – Understand future standards and guidelines currently under discussion and development

1. The Advanced Security Acceleration Project for the Smart Grid (ASAP-SG) is a utility-driven, public-private collaborative among DOE, EPRI, and a large group of leading North American utilities. ASAP-SG is developing system-level security requirements for smart grid applications, such as advanced metering, third party access for customer usage data, distribution automation, home area networks, and synchrophasors.

2. Over the next three years, the National Electric Sector Cyber Security Organization (NESCO) will be working with the National Electric Sector Cyber Security Organization Resources (NESCOR) to lead a broad-based, public-private partnership to improve electric sector energy systems cybersecurity

Step Four – Are there cybersecurity plans in place currently? Are they driven by State regulation, Federal grants compliance or other mechanisms?

1. Which requirements are Standards-driven? Which are not? 2. Are there regulatory efforts underway at a State public utility

commission to create audit, reporting and compliance obligations on cybersecurity for the utilities?

3. Are there State policies and programs that address cybersecurity? 4. How is your State approaching the public private partnerships as

provided for in the National Infrastructure Protection Plan (DHS) and the Energy Sector Specific Plan (DHS and DOE)

5. The ARRA Smart Grid Investment Grants program requires utilities to develop cyber security plans. These Grants require: ó A description of the cybersecurity risks at each stage of the system deployment

lifecycle. ó Cybersecurity criteria used for vendor and device selection. ó Cybersecurity control strategies. ó Descriptions of residual cybersecurity risks. ó Relevant cybersecurity standards and best practices. ó Descriptions of how the projects will support/adopt/implement emerging smart

grid security standards.

Step Five – Consider and address the human element of cyber security

1. Understand what the insider threat is and what policies and procedures are in place to prevent intrusion and manipulation.

2. Understand what social engineering is and how it can be used to access systems

3. Understand that technical solutions to security should account for human behavior, which can be driven by both cultural and psychological factors.

4. Understand the nature of the threat from employees, contractors, consultants, or anyone with short or long term access to IT systems, and know about system vulnerabilities.

5. Once this information has been developed it can be included in either: (1) the States emergency electrical response plans as it relates to how the private and public sector would respond to a cyber attack. (2) Longer term infrastructure assurance plans ( policy and programs) for reducing risks and vulnerabilities to cyber attack on the Energy Sector.

Personnel ó Deliberate vs. Inadvertent Breach ó Software Bugs; User Errors; Power System Equipment

Malfunctions; Communications Equipment Failure ó Deliberate Intrusions and Sabotage

ó Committing staff as a resource ó Training ó State Regulators don’t need to be cyber experts, but: ó They must know what questions to ask a utility (they will

return with answers!) ó Security theater is a waste of money ó Technology alone won’t solve the problem – people are

integral to security

Available Resources ó Standards and Guidelines:

ó Bulk Power System: NERC CIP Standards ó Smart Grid: NIST Interagency Report 7628 (NISTIR 7628)

http://csrc.nist.gov/publications/PubsNISTIRs.html ó NARUC has developed:

ó Cybersecurity for State Regulators with Sample Questions for Regulators to Ask Utilities: http://www.naruc.org/Grants/Documents/NARUC%20Cybersecurity%20Primer%20June%202012.pdf

ó NARUC Critical Infrastructure Committee http://www.naruc.org/committees.cfm?c=46

ó Monthly Cybersecurity Threat Briefings ó National Electric Sector Cyber Security Organization (NESCO): EnergySec

formed the NESCO organization as a Public-private partnership including Utilities, federal agencies, regulators, researches, and academics

ó National Electric Sector Cyber Security Organization Resource (NESCOR): EPRI was selected to serve as a research and analysis resource to the NESCO program and develop mitigation strategies, best practices and metrics

ó DOE Smart Grid Investment Grant (SGIG) Program: Required grant recipients to gather info and implement cyber security plans http://energy.gov/oe/technology-development/smart-grid/recovery-act-smart-grid-investment-grants

Available Resources (cont’d.) ó NASEO Smart Grid Report ó NARUC Primer ó AMI-SEC Task Force Advanced Metering Infrastructure (AMI) System Security

Requirements, December 2008. See http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

ó ANSI/ISA-99, Manufacturing and Control Systems Security, Part 1: Concepts, Models and Terminology, 2007. See http://csrc.nist.gov/publications/fips/fips199/FIPSPUB-199-final.pdf.

ó ANSI/ISA-99, Manufacturing and Control Systems Security, Part 2: Establishing a Manufacturing and Control Systems Security Program, 2009. See http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

ó Federal Bureau of Investigation, InfraGard program, InfraGard FBI Cyber Security Collaboration. See http://www.infragard.net/.

ó Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. See http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf.

ó FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. See http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

Available Resources (cont’d.) ó Idaho National Laboratory, Cyber Assessment Methods for SCADA

Security, 2005. See http://www.naseo.org/eaguidelines/documents/cybersecurity/SCADA_Security.pdf.

ó National Institute of Standards and Technology (NIST) Special Publication (SP), 800-39, DRAFT Managing Risk from Information Systems: An Organizational Perspective, April 2008. See http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spdsz.pdf.

ó North American Electric Reliability Corporation (NERC), Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, June 2002. See http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.

ó Smart Grid Cyber Security Blog Spot. See http://smartgridsecurity.blogspot.com/.

ó U.S. Department of Homeland Security National Infrastructure Protection Plan, 2009. See http://www.dhs.gov/nipp.

Available Resources (cont’d.) ó U.S. Department of Homeland Security IT, telecommunications, and

energy sectors sector specific plans (SSPs), and updated tri-annually. See http://www.dhs.gov/files/programs/gc_1179866197607.shtm

ó U.S. Department of Energy (DOE) Office of Electricity Delivery and Energy Reliability (OE) and the Energy Sector Control Systems Working Group, Roadmap to Achieve Energy Delivery Systems Cybersecurity, September 2011. See http://www.cyber.st.dhs.gov/wp-content/uploads/2011/09/Energy_Roadmap.pdf

ó U. S. Computer Emergency Readiness Team (US-CERT), U.S. Department of Homeland Security. See http://www.us-cert.gov/.

ó American Petroleum Institute Security Guidelines for the Petroleum Industry, April 2005. See http://new.api.org/policy/otherissues/upload/Security.pdf

ó Idaho National Engineering and Environmental Laboratory A Comparison of Oil and Gas Segment Cyber Security Standards, November 2004. See http://www.naseo.org/eaguidelines/documents/cybersecurity/Comparison of Oil and Gas Security.pdf

Thank you!

Questions?

Christina Cody Program Officer, Grants and Research

NARUC ccody@naruc.org

(202) 898-2200, ext. 1002

U. S. Department of Homeland Security Office of Infrastructure Protection